Version in base suite: 0.641-1
Base version: lrzip_0.641-1
Target version: lrzip_0.641-1+deb11u1
Base file: /srv/ftp-master.debian.org/ftp/pool/main/l/lrzip/lrzip_0.641-1.dsc
Target file: /srv/ftp-master.debian.org/policy/pool/main/l/lrzip/lrzip_0.641-1+deb11u1.dsc
 changelog | 15 +++++++++
 patches/CVE-2018-5786.patch | 23 ++++++++++++++
 patches/CVE-2022-26291.patch | 68 +++++++++++++++++++++++++++++++++++++++++++
 patches/CVE-2022-28044.patch | 48 ++++++++++++++++++++++++++++++
 patches/series | 3 +
 5 files changed, 157 insertions(+)
diff -Nru lrzip-0.641/debian/changelog lrzip-0.641/debian/changelog
--- lrzip-0.641/debian/changelog 2021-04-09 15:50:44.000000000 +0000
+++ lrzip-0.641/debian/changelog 2022-05-13 23:39:31.000000000 +0000
@@ -1,3 +1,18 @@
+lrzip (0.641-1+deb11u1) bullseye-security; urgency=high
+
+ * Non-maintainer upload by the Security Team.
+ * Security updates:
+ Two issues that allow remote attackers to cause a denial of service via a
+ crafted lrz file:
+ - CVE-2018-5786: Resolve a potential infinite loop and application hang in the
+ get_fileinfo function.
+ - CVE-2022-26291: Resolve a multiple concurrency use-after-free between
+ the functions zpaq_decompress_buf() and clear_rulist().
+ A memory corruption issue:
+ - CVE-2022-28044: Resolve a potential heap corruption.
+
+ -- Stefano Rivera Fri, 13 May 2022 19:39:31 -0400
+
 lrzip (0.641-1) unstable; urgency=medium
 * New upstream release:
diff -Nru lrzip-0.641/debian/patches/CVE-2018-5786.patch lrzip-0.641/debian/patches/CVE-2018-5786.patch
--- lrzip-0.641/debian/patches/CVE-2018-5786.patch 1970-01-01 00:00:00.000000000 +0000
+++ lrzip-0.641/debian/patches/CVE-2018-5786.patch 2022-05-13 23:39:31.000000000 +0000
@@ -0,0 +1,23 @@
+From: Con Kolivas
+Date: Tue, 12 Apr 2022 19:05:59 +1000
+Subject: [PATCH] Check for invalid repeated head that can lead to infinite
+ loop in info mode.
+
+Origin: upstream, https://github.com/ckolivas/lrzip/commit/3495188cd8f2215a9feea201f3e05c1341ed95fb
+---
+ lrzip.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/lrzip.c b/lrzip.c
+index f938a1b..354a88c 100644
+--- a/lrzip.c
++++ b/lrzip.c
+@@ -1059,7 +1059,7 @@ next_chunk:
+ do {
+ i64 head_off;
+
+- if (unlikely(last_head && last_head < second_last))
++ if (unlikely(last_head && last_head <= second_last))
+ failure_goto(("Invalid earlier last_head position, corrupt archive.\n"), error);
+ second_last = last_head;
+ if (unlikely(last_head + ofs > infile_size))
diff -Nru lrzip-0.641/debian/patches/CVE-2022-26291.patch lrzip-0.641/debian/patches/CVE-2022-26291.patch
--- lrzip-0.641/debian/patches/CVE-2022-26291.patch 1970-01-01 00:00:00.000000000 +0000
+++ lrzip-0.641/debian/patches/CVE-2022-26291.patch 2022-05-13 23:39:31.000000000 +0000
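Review bot: The tightened comparison `last_head <= second_last` is the entire fix, yet nothing in the code says why equality must be rejected, so a later reader may relax it back to `<`; add above it `/* head offsets must strictly decrease: a repeated offset would re-read the same block forever (CVE-2018-5786) */`. The hunk's last line, `last_head + ofs > infile_size`, adds two signed i64 values, so if `last_head` comes from the archive without an upper bound the sum can overflow before the comparison; a check on `last_head` alone (e.g. `last_head > infile_size`) ahead of the addition would avoid that, unless an earlier check not visible here already covers it. The enclosing `do` loop starts and ends outside the hunk.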
@@ -0,0 +1,68 @@
+From: Con Kolivas
+Date: Sat, 26 Feb 2022 10:11:49 +1100
+Subject: Fix possible race condition between zpaq_decompress_buf() and
+ clear_rulist() function as reported by wcventure.
+
+Origin: upstream, https://github.com/ckolivas/lrzip/commit/4b3942103b57c639c8e0f31d6d5fd7bac53bbdf4
+---
+ lrzip.c | 8 +++++++-
+ runzip.c | 6 +-----
+ runzip.h | 1 +
+ 3 files changed, 9 insertions(+), 6 deletions(-)
+
+diff --git a/lrzip.c b/lrzip.c
+index 354a88c..6621131 100644
+--- a/lrzip.c
++++ b/lrzip.c
+@@ -842,8 +842,14 @@ bool decompress_file(rzip_control *control)
+
+ print_progress("Decompressing...\n");
+
+- if (unlikely(runzip_fd(control, fd_in, fd_out, fd_hist, expected_size) < 0))
++ if (unlikely(runzip_fd(control, fd_in, fd_out, fd_hist, expected_size) < 0)) {
++ clear_rulist(control);
+ return false;
++ }
++
++ /* We can now safely delete sinfo and pthread data of all threads
++ * created. */
++ clear_rulist(control);
+
+ if (STDOUT && !TMP_OUTBUF) {
+ if (unlikely(!dump_tmpoutfile(control, fd_out)))
+diff --git a/runzip.c b/runzip.c
+index 3e59053..7f78e05 100644
+--- a/runzip.c
++++ b/runzip.c
+@@ -246,7 +246,7 @@ static i64 unzip_match(rzip_control *control, void *ss, i64 len, uint32 *cksum,
+ return total;
+ }
+
+-static void clear_rulist(rzip_control *control)
++void clear_rulist(rzip_control *control)
+ {
+ while (control->ruhead) {
+ struct runzip_node *node = control->ruhead;
+@@ -378,10 +378,6 @@ static i64 runzip_chunk(rzip_control *control, int fd_in, i64 expected_size, i64
+ if (unlikely(close_stream_in(control, ss)))
+ fatal("Failed to close stream!\n");
+
+- /* We can now safely delete sinfo and pthread data of all threads
+- * created. */
+- clear_rulist(control);
+-
+ return total;
+ }
+
+diff --git a/runzip.h b/runzip.h
+index 1ed68e6..310d018 100644
+--- a/runzip.h
++++ b/runzip.h
+@@ -22,6 +22,7 @@
+
+ #include "lrzip_private.h"
+
++void clear_rulist(rzip_control *control);
+ i64 runzip_fd(rzip_control *control, int fd_in, int fd_out, int fd_hist, i64 expected_size);
+
+ #endif
diff -Nru lrzip-0.641/debian/patches/CVE-2022-28044.patch lrzip-0.641/debian/patches/CVE-2022-28044.patch
--- lrzip-0.641/debian/patches/CVE-2022-28044.patch 1970-01-01 00:00:00.000000000 +0000
+++ lrzip-0.641/debian/patches/CVE-2022-28044.patch 2022-05-13 23:39:31.000000000 +0000
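Review bot: In decompress_file the two new `clear_rulist(control)` calls duplicate the teardown on both sides of the `runzip_fd` check; capturing the result and clearing once reads more clearly, `i64 ret = runzip_fd(control, fd_in, fd_out, fd_hist, expected_size); clear_rulist(control); if (unlikely(ret < 0)) return false;`. The comment carried over from runzip_chunk says the list is now safe to free but not why, and the reason is the substance of this fix: runzip_fd has returned, so no decompression thread can still reference a node. That reasoning belongs both on the call site and on the newly exported prototype in runzip.h, e.g. `/* Frees control->ruhead; call only after runzip_fd() has returned, when no worker thread can still touch the list. */`. Since the per-chunk call in runzip_chunk is removed, the list now grows across all chunks of an archive until decompression finishes, which appears to be an intentional memory-for-safety trade and is worth stating in the same comment.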
@@ -0,0 +1,48 @@
+From: Con Kolivas
+Date: Fri, 25 Feb 2022 22:35:20 +1100
+Subject: Fix control->suffix being deallocated as heap memory as reported by
+ Pietro Borrello.
+
+Origin: upstream, https://github.com/ckolivas/lrzip/commit/5faf80cd53ecfd16b636d653483144cd12004f46
+---
+ lrzip.c | 2 +-
+ main.c | 6 ++++--
+ 2 files changed, 5 insertions(+), 3 deletions(-)
+
+diff --git a/lrzip.c b/lrzip.c
+index 6621131..38047b4 100644
+--- a/lrzip.c
++++ b/lrzip.c
+@@ -1344,7 +1344,7 @@ bool initialise_control(rzip_control *control)
+ control->msgerr = stderr;
+ register_outputfile(control, control->msgout);
+ control->flags = FLAG_SHOW_PROGRESS | FLAG_KEEP_FILES | FLAG_THRESHOLD;
+- control->suffix = ".lrz";
++ control->suffix = strdup(".lrz");
+ control->compression_level = 7;
+ control->ramsize = get_ram(control);
+ if (unlikely(control->ramsize == -1))
+diff --git a/main.c b/main.c
+index f70c53a..2f5f551 100644
+--- a/main.c
++++ b/main.c
+@@ -458,7 +458,8 @@ int main(int argc, char *argv[])
+ if (unlikely(STDOUT))
+ failure("Cannot specify an output filename when outputting to stdout\n");
+ control->outname = optarg;
+- control->suffix = "";
++ dealloc(control->suffix);
++ control->suffix = strdup("");
+ break;
+ case 'O':
+ if (control->outname) /* can't mix -o and -O */
+@@ -493,7 +494,8 @@ int main(int argc, char *argv[])
+ failure("Specified output filename already, can't specify an extension.\n");
+ if (unlikely(STDOUT))
+ failure("Cannot specify a filename suffix when outputting to stdout\n");
+- control->suffix = optarg;
++ dealloc(control->suffix);
++ control->suffix = strdup(optarg);
+ break;
+ case 't':
+ if (control->outname)
diff -Nru lrzip-0.641/debian/patches/series lrzip-0.641/debian/patches/series
--- lrzip-0.641/debian/patches/series 1970-01-01 00:00:00.000000000 +0000
+++ lrzip-0.641/debian/patches/series 2022-05-13 23:39:31.000000000 +0000
@@ -0,0 +1,3 @@
+CVE-2018-5786.patch
+CVE-2022-26291.patch
+CVE-2022-28044.patch
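Review bot: None of the three new `strdup()` calls in initialise_control and main is checked, so on allocation failure `control->suffix` becomes NULL and whatever later builds the output name from it (outside this hunk) would dereference a null pointer; after each call add `if (unlikely(!control->suffix)) fatal("Failed to allocate suffix\n");`, or route through the project's checked allocation wrapper if one exists. The change makes every assignment to `suffix` own heap memory, which is what allows `dealloc()` on it in main; the teardown path that releases `control` (not visible here) should now `dealloc(control->suffix)` as well, otherwise the final copy leaks at exit. Both `main` and `initialise_control` start and end outside the hunk.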